How do you control password resets in your environment? I’ve worked for numerous companies where their forgotten password reset process was all over the board. Hopefully you have a process in place that allows you to sleep at night. Even with the best policies and procedures in place, what happens when someone on your help desk staff resets a users password to some default password and forgets to set the account so the password has to be changed at next logon? Is the user still using that default password weeks later?

I decided to write a PowerShell script to test user accounts for just that exact scenario.

Test-MrADUserPassword

PowerShell

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

#Requires -Version 3.0 -Modules ActiveDirectory

functionTest-MrADUserPassword{

<#

.SYNOPSIS

Test-MrADUserPassword is a function for testing an Active Directory user account for a specific password.

.DESCRIPTION

Test-MrADUserPassword is an advanced function for testing one or more Active Directory user accounts for a

Be sure to test this and to get permission from someone in your chain of command before running it in a production environment. Be careful when using this function because it does count as a failed login for the user account if the password doesn’t match. It will show up on your audit login failures report if you’re performing any type of auditing for login failures. You could also end up locking out the user account if you run this enough times to meet the account lockout threshold set in your domain or in the fine grained password policies if they’re enabled in your environment.

Update: While at the PowerShell + DevOps Global Summit this week, I was discussing this function with a group of attendees and I discovered that there’s a better way to accomplish this task. I’ll post a follow-up blog article next week.

My Speaking Engagements

User Groups

Disclaimer

All data and information provided on this site is for informational purposes only. Mike F Robbins (mikefrobbins.com) makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.